Registering Copy Protected Material in a Check-Out, Check-In System

This application claims the benefit of U.S. Provisional Application No. 60/131,993 filed 30
April 1999, Attorney Docket PHA-23,671P.

BACKGROUND OF THE INVENTION 

1. Field of the Invention

This invention relates to the field of consumer devices, and in particular to techniques
for preventing or discouraging the illicit duplication of copy protected material.

2. Description of Related Art

Techniques are continually being proposed and developed to prevent or discourage the
illicit duplication of copy-protected material, such as commercial music recordings. These
techniques generally attempt to limit the number of copies that can be made from a legitimate
copy of the copy-protected material. At the same time, the purchaser of this legitimate copy
expects to have unlimited rights for copying this material for his or her private purposes. For
example, the typical purchaser has access to multiple means for playing and recording the
material, and expects to be able to play the purchased material on each of these means, without
constraints.

Increasingly common in the art is the use of flash memory cards to record content
material for playback on small portable devices. These flash memory cards, or similar
electronic memory devices, have an advantage over conventional recording media such as discs
or tapes, in that they contain no moving parts and are thus more reliable and robust. Similarly,
the playback devices for these memory cards need not contain movement mechanisms and are
therefore also more reliable, robust, and, in general, less expensive than conventional players.
The electronic memory devices and corresponding players are also generally much smaller than
conventional discs or tapes and corresponding players, and generally consume less power,
further increasing their suitability for use as portable playback systems.

One method for limiting the ability to copy the content material is a "check-out/check-in"
system. In this, as in other protection schemes presented herein, it is assumed that the
copying and playback devices are "conforming" devices, in that they conform to the standards
used to protect copy-protected material. When a copy of the material is made from a providing
device to a portable medium, the conforming providing device prevents additional copies from
being made until the portable medium containing the copy is returned to the providing device.
That is, the check-out/check-in system provides a "one-at-a-time", or an "at-most-N-at-a-time",
copy scheme to limit the number of simultaneously available copies of protected content
material.

A check-out/check-in system is susceptible to a variety of attacks intended to overcome the
security that it provides. The most straightforward attack is one in
which a non-conforming device is used to receive the material. After receiving the material, the
non-conforming device provides unlimited copies. Another attack is one in which a
non-conforming device "checks-in" material that another device received. A conforming device can
receive/check-out the material, the non-conforming device can "check-in" the material, and another
conforming device can then receive the material, because the check-out/check-in system
believes that the other copy has been returned. In this manner, an unlimited number of copies
can be made to conforming devices, such as the aforementioned flash memory cards.

BRIEF SUMMARY OF THE INVENTION
It is an object of this invention to provide a reliable check-out/check-in system and
method for limiting the number of copies of protected content material that are simultaneously
available. It is a further object of this invention to provide a reliable system and method for
assuring that protected content material is provided only to devices that conform to copy
protection standards established for protecting the content material. It is a further object of this
invention to provide a reliable system and method for assuring that the device that checks-out
content material is the same device that checks-in the content material.

These objects and others are achieved by a check-out/check-in system that is configured
to a) verify that the receiving device is a certified conforming device, and b) verify that the
device that checks-in content material is the same device that checked-out the content material.
The verification of the receiving device is effected via a conventional certification process. The
verification that the same device is used for check-in and check-out is effected via a secure
challenge-response protocol. In contrast to a conventional contemporaneous
challenge-response protocol, the system provides a unique challenge that is specific to the receiving
device when the content material is checked-out, and verifies the appropriate response when the
content material is checked-in. Because the challenge-response is specific to the receiving
device, only the device that receives the challenge when the content material is checked-out can
provide the appropriate response when the content material is checked-in.

BRIEF DESCRIPTION OF THE DRAWINGS
The invention is explained in further detail, and by way of example, with reference to
the accompanying drawings wherein:

FIG. 1 illustrates an example block diagram of a check-out/check-in system in accordance with
this invention.

FIG. 2 illustrates an example flow diagram of a check-out/check-in system in accordance with
this invention.

Throughout the drawings, same reference numerals indicate similar or corresponding
features or functions.

DETAILED DESCRIPTION OF THE INVENTION
This invention is based on the premise that a reliable check-in/check-out system has two
fundamental requirements. Such a system requires a reliable means of verifying that the
receiving device is a certified conforming-device. Otherwise, the copy provided to a potentially
non-conforming device may be illicitly reproduced, thereby obviating the copy protection
provided by a check-out/check-in system. Additionally, the system requires a reliable means of
verifying that the checked-in material is being returned from the same certified
conforming-device that initially checked-out the material. Otherwise, a non-conforming device can be used
to 'check-in' material that another device, including a conforming device, received. Other
security techniques, common in the art, may also be applied, for increased copy and distribution
protection.

FIG. 1 illustrates an example block diagram of a check-out/check-in system in
accordance with this invention. The check-out/check-in system includes a check-out/check-in
device 100 and a receiving device 200. The check-out/check-in device includes a catalog
controller 110 that controls access to a catalog of content material 150 to certified receiving
devices. The controller 110 limits the number of copies of each content material 150 that are
simultaneously available. In a preferred embodiment, the controller 110 maintains a count of
the number of copies of the content material 150 that have been provided to, or "checked-out"
to, certified receiving devices, and refuses to provide additional copies when a pre-defined limit
is reached. The check-out/check-in system allows a receiving device 200 to "return", or
"check-in" a copy of the content material 150, so that it can be provided to another receiving device.
The receiving device 200 is presumed to be a conforming device, and a "return" of the material
150 corresponds to a termination of access to the copy of the content material 150 by the
receiving device 200, and the "return" is a notification to the check-out/check-in device 100 that
the receiving device 200 has terminated the access. Upon receipt of the "return" notification, the
check-out/check-in device 100 decrements the count of the number of copies of the content
material 150 that have been provided to receiving devices, thereby allowing another copy of the
content material 150 to be provided to a certified receiving device.

A conforming receiving device 200 includes a "certificate" 211 that is issued by a
trusted authority to certify that the receiving device is a device that is configured to conform to
standards that have been established to protect copy protected content material. This certificate
211 typically includes a public key of a public-private key pair that is associated with the
receiving device 200, the identity of the receiving device, and a digital signature based on a
private key that is associated with the trusted authority. The digital signature binds the identity
of the receiving device to the public key of the receiving device. The receiving
device 200 communicates this certificate 211 to a certification verifier 120 in the
check-out/check-in device 100. The certification verifier 120 applies a public key associated with the
trusted authority to verify a correspondence between the communicated public key and the
identity and authenticity of the receiver by means of the digital signature in the certificate 211.
Because only the trusted authority can be expected to provide a digital signature that can be
verified by the trusted authority's public key, the proper verification of the digital signature is a
certification that the receiving device 200 is an authorized recipient for protected content
material.

When the certificate is verified, the catalog controller 110 provides/checks-out the
selected content material 150 to the receiving device 200, provided that the selected content
material 150 has not already been checked-out to the maximum number of simultaneous
receivers, based on the count parameter discussed above. That is, for example, if the content
material 150 is limited to a single-copy-at-a-time distribution, then the catalog controller 110
will check-out the content material 150 to the receiving device 200 if and only if no other
receiving device has checked-out this content material 150 and has not yet returned it.

In accordance with this invention, when the catalog controller 110 provides the copy of
the content material 150 to the receiving device 200, the catalog controller 110 also issues a
secure "challenge" to the receiving device, using any of a number of challenge-response
protocols. In the example embodiment, the challenge is an encryption of a random number 135,
based on the aforementioned public key of the public-private key pair that is associated with the
receiving device 200. The random number 135 is provided by any number of techniques
common in the art, including a pseudo-random number generator, a selection from a list, and so
on. As noted above, preferably the certificate 211 contains this public key, and the certification
verifier 120 provides this certified public key to an encrypter 130 to effect the encryption of the
random number 135. The receiving device 200 stores the challenge in its memory 210, along
with the associated content material 150.

As in conventional transfer systems, the content material 150 is provided to the
receiving device in a secure form. The content material 150 may be encrypted using the
aforementioned public key of the receiving device, and subsequently decrypted by the receiving
device using a decrypter 230 and the receiving device's corresponding private key 212.
Alternatively, the content material 150 may be encrypted using a particular key, and this
particular key is encrypted using the public key of the receiving device. The receiving device
200 decrypts the encrypted key using the private key 212, and uses the decrypted key to decrypt
the content material 150. These and other techniques for communicating protected content
material are common in the art.

When a user of the receiving device 200 decides to return/check-in the content material
to the check-out/check-in device, to allow another device to receive a copy of the content
material, the receiving device is placed in communication with the check-out/check-in device,
and the check-in process is initiated. In accordance with this invention, when placed in a
check-in state, a security device 220 in the receiving device 200 erases the selected content material
150 from its memory 210, or otherwise terminates access to this content material 150, and
communicates a "response" to the aforementioned "challenge" that was received when the
content material 150 was received. In the example embodiment, the decrypter 230 within the
security device 220 decrypts the encrypted random number that was received, and
communicates the decrypted random number to the return verifier 140 of the
check-out/check-in device 100. The return verifier compares the received decrypted random number to the
original random number 135 to verify that the receiving device 200 is the same device that
received the content material 150. Note that because the receiving device is assumed to be the
only device having access to the receiving device's private key 212, and the encryption of the
random number 135, and the content material 150, is based on the receiving device's public
key, only the receiving device can return a decrypted random number that matches the original
random number 135.

As will be evident to one of ordinary skill in the art, the catalog controller will typically
contain a variety of content material that can be checked-out, and will typically check-out
selected content material to a variety of receiving devices. Not illustrated, the catalog controller
110 and/or the return verifier 140 will contain a list of each checked-out content material and
the random number associated with each checked-out content material, to effectively manage
the check-out/check-in process. In like manner, each content material may have a different limit
to the number of copies that may be simultaneously provided, with some content material
allowing an unlimited number of simultaneous copies, and the catalog controller 110 is
configured to enforce each limit as required.

FIG. 2 illustrates an example flow diagram of a check-out/check-in system in
accordance with this invention. At 310, the check-out/check-in device receives a transaction
request that includes an identification of the content material, and a certificate that verifies that
the receiving device is a conforming device. As discussed above, in a preferred embodiment,
the certificate includes the public key of a public-private key pair that is associated with the
receiving device. If, at 315, the certificate is determined to be invalid, the process is aborted;
otherwise, the type of transaction is determined, at 325. If the transaction is a request to
check-out content material, the current count of the number of copies of the requested content material
is compared to the limit of the number of simultaneous copies permitted, at 335. If the number
of currently checked-out copies is not less than the limit, the process is aborted. If the number
of currently checked-out copies is less than the limit, a challenge is generated, at 340, and the
challenge and the content material are transmitted to the receiving device, at 350. The current
count of the number of checked-out copies is incremented, at 360, thereby corresponding to a
check-out of the content material.

If, at 325, the transaction is a return/check-in of content material, the check-out/check-in
device receives the response to the challenge that was given to the receiving device when it
checked-out the content material, at 370. If the response is an appropriate response to the challenge, at 375,
the current count of the number of checked-out copies of the content material is decremented, at
380, thereby corresponding to a "return" of the content material, and the process continues. If
the response does not correspond to the challenge, at 375, the count is not decremented.

After incrementing or decrementing the count, or after aborting, the process continues at
390, typically by looping back to step 310, to await another transaction request. Note that the
flow 310-325 can be modified to bypass the 're-certification' of the receiving device when
content material is being returned, on the assumption that only a previously certified receiving
device will be able to provide an appropriate response to the challenge, at 370.
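
The exchange of FIG. 1 and the flow of FIG. 2, as an added Python example that is not part of the application: textbook RSA over constructed toy primes stands in for the key pairs of the receiving devices and the trusted authority, and the content is handed over unencrypted. The class and function names, the device identities, and the record keyed by (title, device id) with one outstanding copy per device are assumptions of the example; a real system would use a vetted library with padded encryption and signatures.

```python
import hashlib, hmac, secrets

def keygen(p, q, e=65537):
    """Textbook RSA from two primes: ((n, e), d). Toy only: no padding."""
    return (p * q, e), pow(e, -1, (p - 1) * (q - 1))

def cert_digest(identity, pub):
    data = f"{identity}|{pub[0]}|{pub[1]}".encode()
    return int.from_bytes(hashlib.sha256(data).digest(), "big")

def issue_cert(identity, pub, ca_pub, ca_priv):  # authority signs identity + key
    sig = pow(cert_digest(identity, pub), ca_priv, ca_pub[0])
    return {"id": identity, "pub": pub, "sig": sig}

class ReceivingDevice:
    def __init__(self, cert, priv):
        self.cert, self._priv, self.memory = cert, priv, {}

    def respond(self, title):  # check-in: erase content, then decrypt challenge
        _, challenge = self.memory.pop(title)
        return pow(challenge, self._priv, self.cert["pub"][0])

class CheckOutCheckInDevice:
    def __init__(self, ca_pub, catalog, limits):
        self.ca_pub, self.catalog, self.limits = ca_pub, catalog, limits
        self.outstanding = {}  # (title, device id) -> nonce awaiting check-in

    def cert_valid(self, cert):  # step 315
        n, e = self.ca_pub
        return pow(cert["sig"], e, n) == cert_digest(cert["id"], cert["pub"])

    def count(self, title):  # copies currently checked out
        return sum(1 for t, _ in self.outstanding if t == title)

    def check_out(self, cert, title):
        key = (title, cert["id"])
        if not self.cert_valid(cert) or key in self.outstanding:
            return None
        if self.count(title) >= self.limits[title]:  # step 335
            return None
        nonce = secrets.randbits(128)  # step 340
        self.outstanding[key] = nonce  # step 360: count goes up by one
        n, e = cert["pub"]
        return self.catalog[title], pow(nonce, e, n)  # step 350

    def check_in(self, device_id, title, response):
        nonce = self.outstanding.get((title, device_id))
        if nonce is None:
            return False  # nothing outstanding, e.g. a replayed response
        if not hmac.compare_digest(f"{nonce:x}", f"{response:x}"):  # step 375
            return False  # wrong response: the count is not decremented
        del self.outstanding[(title, device_id)]  # step 380
        return True

def demo():
    ca_pub, ca_priv = keygen(2**607 - 1, 2**1279 - 1)  # constructed toy keys
    a_pub, a_priv = keygen(2**89 - 1, 2**107 - 1)
    b_pub, b_priv = keygen(2**127 - 1, 2**521 - 1)
    dev_a = ReceivingDevice(issue_cert("player-A", a_pub, ca_pub, ca_priv), a_priv)
    cert_b = issue_cert("player-B", b_pub, ca_pub, ca_priv)
    kiosk = CheckOutCheckInDevice(ca_pub, {"track-1": b"sample"}, {"track-1": 1})
    r = {"forged_cert": kiosk.check_out({**cert_b, "id": "player-X"}, "track-1")}
    content, challenge = kiosk.check_out(dev_a.cert, "track-1")
    dev_a.memory["track-1"] = (content, challenge)
    r["over_limit"] = kiosk.check_out(cert_b, "track-1")
    guess = pow(challenge, b_priv, b_pub[0])  # other device, wrong private key
    r["wrong_device"] = kiosk.check_in("player-A", "track-1", guess)
    r["count_after_wrong"] = kiosk.count("track-1")
    answer = dev_a.respond("track-1")
    r["right_device"] = kiosk.check_in("player-A", "track-1", answer)
    r["replay"] = kiosk.check_in("player-A", "track-1", answer)
    r["next_checkout_ok"] = kiosk.check_out(cert_b, "track-1") is not None
    return r
```

Calling `demo()` returns the outcome of each case: a certificate with an altered identity and a request over the limit are both refused, a response computed without the checking-out device's private key leaves the count at one, and only that device's own response frees the copy for the next check-out.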

The foregoing merely illustrates the principles of the invention. It will thus be
appreciated that those skilled in the art will be able to devise various arrangements which,
although not explicitly described or shown herein, embody the principles of the invention and
are thus within the spirit and scope of the following claims.






CLAIMS 

I claim: 

1. A method for limiting simultaneous copies of content material, comprising:
communicating a copy of the content material to a receiving device,
communicating a security challenge to the receiving device when the copy of the
content material is communicated to the receiving device, and
receiving a security response, based on the security challenge, from the receiving
device when the copy of the content material is removed from the receiving device.

2. The method of claim 1, further including
verifying a certification of the receiving device before communicating the copy of the
content material to the receiving device.

3. The method of claim 1, further including
maintaining a count of the simultaneous copies of the content material, including:
incrementing the count when the copy of the content material is communicated
to the receiving device, and
decrementing the count when the security response is received from the
receiving device, and
wherein
communicating the copy of the content material is dependent upon the count of the
simultaneous copies.

4. The method of claim 1, further including:
generating a random number, and
encrypting the random number via a public key of a public-private key pair that is
associated with the receiving device to form the security challenge, and
wherein
the security response includes the random number.

5. The method of claim 4, further including
verifying a certification of the receiving device before communicating the copy of the
content material to the receiving device, and
wherein
the certification of the receiving device includes a public key of the public-private key
pair of the receiving device.

6. A check-out/check-in device comprising:
a catalog controller that is configured to provide a limited number of simultaneous
copies of content material to one or more receiving devices,
an encrypter that is configured to provide a security challenge to a receiving device of
the one or more receiving devices when the catalog controller provides a copy of the content
material to the receiving device, and
a return verifier that is configured to:
receive a security response from the receiving device when the copy of the
content material is removed from the receiving device, and
notify the catalog controller whether the security response corresponds to an
appropriate response to the security challenge.

7. The check-out/check-in device of claim 6, further including
a certification verifier that is configured to verify a certification of the receiving device, and
wherein
the catalog controller is further configured to provide the content material in
dependence upon the certification of the receiving device.

8. The check-out/check-in device of claim 6, wherein
the catalog controller is further configured to maintain a count of the simultaneous
copies of the content material,
wherein,
the catalog controller is configured to:
increment the count when the copy of the content material is communicated to
the receiving device, and
decrement the count when the security response is received from the receiving
device, and
provide the copy of the content material in dependence upon the count of the
simultaneous copies.

9. The check-out/check-in device of claim 6, wherein
the encrypter is configured to encrypt a random number via a public key of a
public-private key pair that is associated with the receiving device to form the security challenge, and
the return verifier is configured to compare the security response to the random number
to determine whether the security response corresponds to the appropriate response to the
security challenge.

10. The check-out/check-in device of claim 9, further including
a certification verifier that is configured to verify a certification of the receiving device, and
wherein
the catalog controller is further configured to provide the content material in
dependence upon the certification of the receiving device, and
the certification of the receiving device includes a public key of the public-private key
pair of the receiving device.

11. A receiving device that receives content material and a corresponding security challenge
from a check-out/check-in device, comprising:
a memory that is configured to store the content material and the corresponding
security challenge, and
a security device that is configured to:
erase the content material from the memory, and
communicate a security response to the check-out/check-in device, based on the
security challenge that is associated with the content material.

12. The receiving device of claim 11, wherein
the security device is further configured to communicate a certification of the receiving
device to the check-out/check-in device to enable the check-out/check-in device to provide
the content material to the receiving device.

13. The receiving device of claim 11, wherein
the security device includes:
a decrypter that decrypts the security challenge via a private key of a
public-private key pair that is associated with the receiving device to form the security response.

14. The receiving device of claim 13, wherein
the security device is further configured to communicate a certification of the receiving
device to the check-out/check-in device to enable the check-out/check-in device to provide
the content material to the receiving device, and
the certification of the receiving device includes a public key of the public-private key
pair of the receiving device.

Registering Copy Protected Material in a Check-In, Check-Out System

ABSTRACT OF THE DISCLOSURE

In a limited-copy protection scheme, a check-out/check-in system is configured to a)
verify that the receiving device is a certified conforming device, and b) verify that the device
that checks-in content material is the same device that checked-out the content material. The
verification of the receiving device is effected via a conventional certification process. The
verification that the same device is used for check-in and check-out is effected via a secure
challenge-response protocol. In contrast to a conventional contemporaneous
challenge-response protocol, the system provides a challenge that is specific to the receiving device when
the content material is checked-out, and verifies the appropriate response when the content
material is checked-in. Because the challenge-response is specific to the receiving device, only
the device that receives the challenge when the content material is checked-out can provide the
appropriate response when the content material is checked-in.

City: Spring Valley
State or Country: New York
Zip Code: 10977


